From 0d3103d97e91163cedb427a5f944c7db9e688805 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
Date: Thu, 3 Aug 2023 15:44:10 +0200
Subject: [PATCH] - bundled dateutil: fix tarfile CVE-2007-4559   Resolves:
 rhbz#2217902

---
 ...ure-fix-bundled-dateutil-CVE-2007-4559.patch |  0
 ...irt-fix-bundled-dateutil-CVE-2007-4559.patch | 17 +++++++++++++++++
 fence-agents.spec                               | 13 +++++++++----
 3 files changed, 26 insertions(+), 4 deletions(-)
 rename bz2217902-fix-bundled-dateutil-CVE-2007-4559.patch => bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch (100%)
 create mode 100644 bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch

diff --git a/bz2217902-fix-bundled-dateutil-CVE-2007-4559.patch b/bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
similarity index 100%
rename from bz2217902-fix-bundled-dateutil-CVE-2007-4559.patch
rename to bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
diff --git a/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch b/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
new file mode 100644
index 0000000..97707a5
--- /dev/null
+++ b/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
@@ -0,0 +1,17 @@
+--- a/kubevirt/dateutil/zoneinfo/rebuild.py	2023-01-26 16:29:30.000000000 +0100
++++ b/kubevirt/dateutil/zoneinfo/rebuild.py	2023-07-19 10:12:42.277559948 +0200
+@@ -21,7 +21,12 @@
+     try:
+         with TarFile.open(filename) as tf:
+             for name in zonegroups:
+-                tf.extract(name, tmpdir)
++                if hasattr(tarfile, 'data_filter'):
++                    # Python with CVE-2007-4559 mitigation (PEP 706)
++                    tf.extract(name, tmpdir, filter='data')
++                else:
++                    # Fallback to a possibly dangerous extraction (before PEP 706)
++                    tf.extract(name, tmpdir)
+             filepaths = [os.path.join(tmpdir, n) for n in zonegroups]
+ 
+             _run_zic(zonedir, filepaths)
+
diff --git a/fence-agents.spec b/fence-agents.spec
index c53beaf..20fe6e2 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -59,7 +59,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 54%{?alphatag:.%{alphatag}}%{?dist}
+Release: 55%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@@ -239,7 +239,8 @@ Patch45: bz2221643-fence_ibm_powervs-performance-improvements.patch
 Patch46: bz2224267-fence_ipmilan-fix-typos-in-metadata.patch
 
 ### HA support libs/utils ###
-Patch1000: bz2217902-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch1000: bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch1001: bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
 
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
@@ -431,7 +432,7 @@ sed -i -e "/^import awscli.clidriver/isys.path.insert(0, '/usr/lib/%{name}/suppo
 # Patch1000
 %ifarch x86_64
 pushd support
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-fix-bundled-dateutil-CVE-2007-4559.patch
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
 popd
 %endif
 
@@ -439,6 +440,10 @@ popd
 %{__python3} -m pip install --user --no-index --find-links %{_sourcedir} setuptools-scm
 %{__python3} -m pip install --target support/kubevirt --no-index --find-links %{_sourcedir} openshift
 rm -rf kubevirt/rsa*
+# Patch1001
+pushd support
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+popd
 
 ./autogen.sh
 %{configure} --disable-libvirt-qmf-plugin PYTHONPATH="support/aliyun:support/aws:support/azure:support/google:support/common" \
@@ -1472,7 +1477,7 @@ are located on corosync cluster nodes.
 %endif
 
 %changelog
-* Thu Jul 20 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-54
+* Thu Aug  3 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-55
 - bundled dateutil: fix tarfile CVE-2007-4559
   Resolves: rhbz#2217902
 - fence_ipmilan: fix typos in metadata